September 2007
Report No. AUD-07-013

Response to Privacy Program Information Request in OMB's Fiscal Year 2007 Reporting Instructions for FISMA and Agency Privacy Management

AUDIT REPORT

Federal Deposit Insurance Corporation, Office of Inspector General, Office of Audits


Background and Purpose of Audit

In fulfilling its legislative mandate of insuring deposits, supervising financial institutions, and managing receiverships, and in its role as a federal employer and acquirer of services, the FDIC creates and acquires a significant amount of personally identifiable information (PII) (e.g., name, Social Security number, or biometric records) related to depositors and borrowers at FDIC-insured financial institutions and FDIC employees and contractors. Much of the PII managed by the FDIC and its contractors falls within the scope of several statutes and regulations intended to protect such information from unauthorized disclosure.

On July 25, 2007, the Office of Management and Budget (OMB) issued Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. The memorandum directs agency Inspectors General to provide relevant status information on agency privacy programs. In addition, the memorandum directs agency IGs to assess (1) the quality of their agencies' process for conducting privacy impact assessments (PIA) of systems containing PII and (2) the progress the agency is making in implementing PII safeguards recommended in OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, dated May 2, 2006. OMB defines a PIA as a process for (1) examining the risks of using information technology to collect, maintain, and disseminate PII from or about members of the public and for (2) identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting such information.

Consistent with the provisions of OMB Memorandum M-07-19, the objective of the audit was to assess the status of the FDIC's privacy program activities and initiatives. Our work focused on the status of the FDIC's efforts to address selected key provisions of privacy-related memoranda recently issued by OMB.

To view the full report, go to www.fdicig.gov/2007reports.asp

Results of Audit

The FDIC continues to take action to safeguard its PII and related systems and address privacy-related provisions of recent OMB memoranda. Of particular note, the FDIC has appointed a senior agency official for privacy, conducted privacy reviews prescribed by OMB, and provided employees and contractors with privacy-awareness training. Importantly, the FDIC has established a process for conducting PIAs of its information systems containing PII that is consistent with relevant privacy-related policy, guidance, and standards. In addition, the FDIC is making satisfactory progress in implementing the provisions of OMB Memorandum M-06-15. Further, the FDIC is working to complete a number of ongoing privacy program initiatives to safeguard its PII and related systems consistent with privacy-related statutes, policies, and guidelines. Such initiatives include:

• Deploying new software that automatically encrypts sensitive information stored on portable computing devices (e.g., laptops and flash drives).
• Conducting a comprehensive review of access controls over sensitive information stored on network shared drives throughout the Corporation.
• Ensuring that access to applications containing PII is appropriately limited.
• Referencing in corporate policy the FDIC's new breach notification plan and procedures for responding to PII breaches.
• Implementing measures to ensure technologies used to collect, use, store, and disclose PII allow for continuous auditing of compliance with stated privacy policies and practices.
• Logging all computer-readable data extracts from databases holding sensitive information and verifying that each extract, including sensitive data, has been erased within 90 days or its use is still required.

This report contains no recommendations. We plan to follow up on the status of these initiatives as part of future privacy reviews.


TABLE OF CONTENTS

BACKGROUND                                                                   2
RESULTS OF AUDIT                                                             4
THE FDIC's PRIVACY IMPACT ASSESSMENT PROCESS                                 5
THE FDIC'S PROGRESS IN IMPLEMENTING THE PROVISIONS OF OMB MEMORANDUM M-06-15 6
STATUS OF THE FDIC'S ACTIONS TO ADDRESS SELECTED KEY PROVISIONS OF OMB PRIVACY-RELATED MEMORANDA 8
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                               13
APPENDIX II: PRIVACY-RELATED LAWS, POLICIES, AND GUIDELINES                 15

TABLES
Table 1: Status of FDIC Actions Related to Selected Key Provisions of OMB Memorandum M-06-15    7
Table 2: Status of FDIC Actions to Address Selected Key Provisions of Privacy-related Memoranda Issued by the OMB    8

FIGURE
The FDIC's Privacy Program Components                                        3


ACRONYMS

CD/DVD         Compact Disk/Digital Versatile Disk
CIO            Chief Information Officer
CPO            Chief Privacy Officer
DIT            Division of Information Technology
FIPS PUB       Federal Information Processing Standards Publication
FISMA          Federal Information Security Management Act
FMFIA          Federal Managers' Financial Integrity Act
IG             Inspector General
IT             Information Technology
KPMG           KPMG LLP
NIST           National Institute of Standards and Technology
OIG            Office of Inspector General
OMB            Office of Management and Budget
PIA            Privacy Impact Assessment
PII            Personally Identifiable Information
POA&M          Plan of Action and Milestones
PTA            Privacy Threshold Assessment
RUP®           Rational Unified Process
SP             Special Publication
SSN            Social Security Number
USB            Universal Serial Bus


Federal Deposit Insurance Corporation                    Office of Audits
3501 Fairfax Drive, Arlington, VA 22226                  Office of Inspector General

DATE:           September 26, 2007

MEMORANDUM TO:  Michael E. Bartell, Chief Privacy Officer

FROM:           /Signed/
                Russell A. Rau
                Assistant Inspector General for Audits

SUBJECT:        Response to Privacy Program Information Request in OMB's Fiscal Year 2007 Reporting Instructions for FISMA and Agency Privacy Management (Report No. 07-013)


This report presents the results of our audit of the status of the FDIC's privacy program. We performed the audit in response to a request for privacy program information in the Office of Management and Budget's (OMB) July 25, 2007 Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act [FISMA] and Agency Privacy Management. The OMB memorandum directs agency Inspectors General (IG) to provide relevant status information on agency privacy programs. In addition, the memorandum directs agency IGs to assess (1) the quality of their agencies' process for conducting privacy impact assessments (PIA)[1] of systems containing PII[2] and (2) the progress the agency is making in implementing PII safeguards recommended in OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006. As part of our audit, we assessed the status of the FDIC's efforts to address selected key provisions of privacy-related memoranda recently issued by OMB.

The objective of the audit was to assess the status of the FDIC's privacy program activities and initiatives. As part of our work, we followed up on privacy-related issues identified in prior audit reports, particularly The FDIC's Compliance With Section 522 of the Consolidated Appropriations Act, 2005 (Report No. 07-003), issued in January 2007 and prepared by KPMG, LLP (KPMG) under contract with the FDIC Office of Inspector General (OIG). The OIG contracted separately with KPMG to evaluate and report on the FDIC's information security program and practices pursuant to FISMA. As part of its information security program evaluation, KPMG prepared responses to security-related questions directed to agency IGs in OMB Memorandum M-07-19. KPMG's security program evaluation report,[3] together with this report, fulfills the OIG's reporting responsibilities under FISMA and related OMB guidance. We conducted this audit in accordance with generally accepted government auditing standards. Appendix I of this report discusses our audit objective, scope, and methodology in detail.

[1] According to OMB Memorandum M-07-19, a PIA is a process for (1) examining the risks and ramifications of using information technology (IT) to collect, maintain, and disseminate personally identifiable information (PII) from or about members of the public and for (2) identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting such information.
[2] OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, defines PII as information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number (SSN), biometric records, etc., alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
[3] KPMG report entitled Independent Evaluation of the FDIC's Information Security Program – 2007 (FDIC OIG Report No. AUD-07-014, dated September 27, 2007).


BACKGROUND

In fulfilling its legislative mandate of insuring deposits, supervising financial institutions, and managing receiverships, and in its role as a federal employer and acquirer of services, the FDIC creates and obtains a significant amount of PII related to depositors and borrowers at FDIC-insured financial institutions and FDIC employees and contractors. Implementing proper security controls over this PII is critical to mitigating the risk of an unauthorized disclosure that could lead to identity theft, consumer fraud, and potential legal liability or public embarrassment for the Corporation. Widely publicized reports of data security breaches at federal agencies have raised privacy concerns among federal agencies, the public, and the Congress and underscore the importance of implementing a strong, enterprise-wide privacy program.

Much of the PII managed by the FDIC and its contractors falls within the scope of several statutes and regulations intended to protect such information from unauthorized disclosure. These statutes and regulations include section 522 of the Consolidated Appropriations Act, 2005 (Division H of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005) (section 522); the Privacy Act of 1974; section 208 of the E-Government Act of 2002; and the FDIC's Rules and Regulations—Parts 309, Disclosure of Information, and 310, Privacy Act Regulations. In addition, OMB has issued a number of privacy-related memoranda containing policies and guidelines aimed at protecting PII at federal departments and agencies. The following summarizes the key OMB privacy-related memoranda included in our audit.

• Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007, requires agencies to develop and implement a breach notification plan and policy within 120 days.
• Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006, provides guidance to agencies for reporting security incidents involving PII and reminds agencies of existing requirements to protect PII.
• Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, recommends that federal departments and agencies implement a series of controls to safeguard the remote access, transport, and storage of sensitive information, including PII.
• Memorandum M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006, re-emphasizes agency responsibilities to safeguard PII and train employees on their privacy responsibilities. The memorandum directs agencies to review their privacy policies and processes and take corrective action, as appropriate, to ensure adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, PII.
• Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005, requests executive departments and agencies to designate a senior official with agency-wide responsibility for information privacy issues.
• Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003, provides guidance to agencies on implementing the privacy provisions of the E-Government Act of 2002 and directs agencies to review the manner in which information on individuals is handled within agencies.

The extent to which these memoranda are legally binding on the FDIC varies. Similarly, the extent of the FDIC's voluntary compliance varies. Appendix II contains further information as well as a brief description of pertinent privacy-related laws, policies, and guidelines (including OMB memoranda) and their legal effect on the FDIC.

The FDIC's Privacy Program

The FDIC has established a corporate-wide privacy program to protect the PII it manages from unauthorized use, access, disclosure, or sharing and to safeguard associated information systems from unauthorized access, modification, disruption, or destruction. As illustrated in the figure, key components of the FDIC's privacy program include, but are not limited to, a Chief Privacy Officer (CPO) with overall responsibility for the program; a Privacy Program Manager who supports the CPO in developing and implementing privacy requirements; policies and procedures for managing and protecting PII; a process for identifying PII contained in applications; and procedures for conducting PIAs of applications and systems containing PII. The FDIC's privacy program also includes mandatory privacy-awareness training for employees and contractors, a Web site to provide information regarding privacy requirements, and targeted privacy briefings for personnel responsible for handling PII.

[Figure: The FDIC's Privacy Program Components]

In addition, the FDIC has placed bins and media consoles in its facilities to securely dispose of sensitive information (including PII), developed a standard privacy clause for its contracts, and conducted an initial assessment of FDIC contractors that access, maintain, or manipulate PII for the FDIC to determine the types of PII they possess and whether independent security reviews have been performed.

The FDIC recognizes that implementing effective measures to protect PII requires a sustained effort. Toward that end, the FDIC has designated privacy as an issue warranting special attention for 2007 in its annual assurance statement guidance to FDIC managers in support of the Federal Managers' Financial Integrity Act of 1982. Additionally, the FDIC recently hired a staff member to support its privacy program and plans to hire another staff member in the near future. Finally, the FDIC is conducting walk-throughs of its facilities to identify instances in which PII needs to be better secured and is integrating its key ongoing and planned privacy program control activities into a formal documented framework.


RESULTS OF AUDIT

The FDIC continues to take action to safeguard its PII and related systems and address privacy-related provisions of recent OMB memoranda. Of particular note, the FDIC has appointed a senior agency official for privacy, conducted privacy reviews prescribed by OMB,[4] and provided employees and contractors with privacy-awareness training. Importantly, the FDIC has established a process for conducting privacy impact assessments of its information systems containing PII that is consistent with relevant privacy-related policy, guidance, and standards. In addition, the FDIC is making satisfactory progress in implementing the provisions of OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006. Further, the FDIC is working to complete a number of ongoing privacy program initiatives to safeguard its PII and related systems consistent with privacy-related statutes, policies, and guidelines. Such initiatives include:

• Deploying new software that automatically encrypts sensitive information stored on portable computing devices, such as laptop computers, CDs/DVDs,[5] and USB[6] flash drives, as recommended in OMB Memorandum M-06-16. The FDIC is in the process of replacing its older encryption solutions that require manual intervention by users, limiting assurance that sensitive information is consistently encrypted.[7]
• Conducting a comprehensive review of access controls over sensitive information stored on network shared drives throughout the Corporation to reduce the risk of unauthorized disclosure of sensitive information, including PII, consistent with the security principle of "least privilege."[8][9]
• Ensuring that access to applications containing PII is limited consistent with the security principle of "least privilege."[10]
• Referencing in corporate policy the FDIC's new breach notification plan and procedures for responding to PII breaches.
• Implementing measures to ensure technologies used to collect, use, store, and disclose PII allow for continuous auditing[11] of compliance with stated privacy policies and practices as required by section 522.
• Logging all computer-readable data extracts from databases holding sensitive information and verifying that each extract, including sensitive data, has been erased within 90 days or its use is still required, as recommended in OMB Memorandum M-06-16.

This report contains no recommendations. We plan to follow up on the status of these initiatives as part of privacy reviews conducted pursuant to section 522.

[4] OMB Circular No. A-130, Management of Federal Information Resources; Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, requires agencies to conduct reviews of the following topics, at the indicated frequency: Section (m) Contracts, Recordkeeping Practices, Privacy Act Training, Violations, and System of Records Notices, every 2 years; Routine Use Disclosures and Exemption of System of Records reviews, every 4 years; and Matching Programs, annually.
[5] A Compact Disk and Digital Versatile Disk (CD/DVD) are optical digital disc formats used to store programs and data files.
[6] A Universal Serial Bus (USB) flash drive is a memory card that emulates a small disk drive and allows data to be easily transferred from one computer to another.
[7] FDIC OIG report entitled Division of Resolutions and Receiverships Protection of Electronic Records (Report No. AUD-07-010, dated September 2007) states that sensitive information, including PII, stored on portable computing devices was not being encrypted and that access to sensitive information, including PII, stored on network shared drives and network applications was not adequately restricted.
[8] OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources, defines the term "least privilege" as the practice of restricting user access to only those IT resources (including data) needed to perform official duties.
[9] See footnote 7.
[10] See footnotes 7 and 8.
[11] In this context, continuous auditing refers to management's review of audit records (i.e., audit trails) for indications of inappropriate or unusual activity. Special Publication (SP) 800-53, Revision 1, Recommended Security Controls for Federal Information Systems, issued by the National Institute of Standards and Technology (NIST) (a non-regulatory federal agency within the U.S. Department of Commerce), recommends that agencies configure their information systems to generate audit trails based on organization-defined auditable events and regularly analyze those audit trails.


THE FDIC's PRIVACY IMPACT ASSESSMENT PROCESS

Section 208 of the E-Government Act of 2002, as implemented through OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, requires agencies to conduct PIAs of all information systems containing PII and make the completed PIAs generally available to the public. Section 208 requires that published PIAs describe, among other things, the information being collected, why the information is being collected, and the agency's intended use of the information. PIAs are intended to promote the public trust through increased transparency and assurances that personal information is properly protected.

OMB Memorandum M-07-19 directs agency IGs to assess the quality of their respective agency's PIA process, including the agency's adherence to privacy-related policy, guidance, and standards. In summary, we found that the FDIC's PIA process was satisfactory and consistent with relevant privacy-related policy, guidance, and standards. KPMG evaluated and reported on the adequacy of the FDIC's PIA process in its January 2007 audit report, The FDIC's Compliance With Section 522 of the Consolidated Appropriations Act, 2005. KPMG concluded that the FDIC had established a formal process for conducting PIAs of its applications and systems containing PII and posting completed PIAs on its public Web site. However, KPMG noted that the FDIC's PIA process did not always ensure that publicly-posted PIAs contain sufficient information regarding the FDIC's collection or use of PII consistent with OMB policy and section 208 of the E-Government Act of 2002. KPMG recommended that the FDIC's CPO enhance the FDIC's PIA process and review all publicly-posted PIAs to determine whether they contain adequate disclosure regarding the types of PII used and the FDIC's use of PII.

In response to KPMG's recommendations, the CPO completed a review of all the PIAs posted on the FDIC's public Web site and made revisions, where warranted, to ensure that disclosures regarding the types of PII used in the PIAs were adequate and that descriptions of the FDIC's use of PII also were adequate. The CPO also strengthened the FDIC's PIA procedures by developing a PII checklist to be completed during the PIA process. Further, the FDIC added resources to its privacy program to help ensure that PIAs are thoroughly reviewed prior to being posted on the Web site.


THE FDIC'S PROGRESS IN IMPLEMENTING THE PROVISIONS OF OMB MEMORANDUM M-06-15

OMB Memorandum M-06-15 re-emphasizes agency responsibilities, under existing law and policy, to appropriately safeguard PII and train agency employees on their privacy responsibilities. Further, OMB Memorandum M-07-19 directs agency IGs to assess their agencies' (1) progress in implementing the provisions of OMB Memorandum M-06-15 since the most recent self-review, including an agency's policies and processes, and (2) administrative, technical, and physical means used to control and protect PII. In summary, we concluded that the FDIC is making satisfactory progress in implementing the provisions of OMB Memorandum M-06-15. Table 1, on the next page, identifies selected key provisions of OMB Memorandum M-06-15 and summarizes the status of the FDIC's actions related to each of those provisions.

Table 1: Status of FDIC Actions Related to Selected Key Provisions of OMB Memorandum M-06-15

Selected Key Provision: The Senior Official for Privacy shall conduct a review of the agency's privacy program policies and processes and take corrective action, as appropriate, to ensure adequate safeguards are in place to prevent the intentional or negligent misuse of, or unauthorized access to, PII. The review must address all administrative, technical, and physical means used by the agency to control such information, including, but not limited to, procedures and restrictions on the use or removal of PII beyond agency premises or control.
Status of FDIC Actions: The FDIC completed a review of its privacy program policies and Web sites on August 10, 2006. In addition, the FDIC has completed reviews of its compliance with various provisions of the Privacy Act of 1974 as required by OMB Circular No. A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals. Further, the FDIC's Division of Information Technology (DIT) established a process for periodically conducting walk-throughs of FDIC facilities to identify potentially vulnerable PII.

Selected Key Provision: Agencies shall include any privacy weaknesses identified in security Plans of Action and Milestones (POA&M) already required by FISMA.
Status of FDIC Actions: The FDIC reports its high-level, systemic privacy-related weaknesses to OMB in an agency-wide POA&M on an annual basis. The FDIC tracks and reports its other privacy program deficiencies and initiatives through various means, such as monthly status reports, a project plan, and the Internal Risks Information System (IRIS).[12] In addition, the FDIC is working to develop a formal, documented privacy program framework by December 15, 2007. The framework will document and describe the Corporation's privacy program goals and objectives, performance measures, organization and relationships of key initiatives, training and awareness strategy, and methods for reporting.

Selected Key Provision: Agencies shall remind their employees of their specific responsibilities for safeguarding PII, the rules for acquiring and using such information, and the penalties for violating these rules.
Status of FDIC Actions: The FDIC sent a global e-mail message to all employees and contractors on August 8, 2006, reminding them of their responsibilities for safeguarding PII, the rules for acquiring and using such information, and the penalties for violating these rules. The CPO issued a follow-up global e-mail message on May 3, 2007, in conjunction with the issuance of FDIC Circular 1360.9, Protecting Sensitive Information, also dated May 3, 2007. The message again reminded all employees and contractors of their responsibilities regarding the protection of PII. In addition, the FDIC requires its employees and contractors to certify, on an annual basis, the completion of privacy-awareness training that addresses responsibilities for safeguarding PII, the rules for acquiring and using such information, and the penalties for violating those rules.

Selected Key Provision: Agencies shall report security incidents to proper authorities, including IGs; other law enforcement; and in certain circumstances, the U.S. Department of Homeland Security.
Status of FDIC Actions: The FDIC has established and implemented policy and procedures for reporting security incidents to proper authorities. In addition, the FDIC developed a breach notification plan and procedures in response to OMB Memorandum M-07-16.

[12] IRIS is the FDIC's official tracking database for all U.S. Government Accountability Office and OIG audits and reviews of the FDIC and is used to track audit findings/conditions, recommendations, and corrective actions/milestones. FDIC divisions and offices can also use IRIS to track the results of their internal control reviews, visitations, and other activities related to managing risks.


STATUS OF THE FDIC'S ACTIONS TO ADDRESS SELECTED KEY PROVISIONS OF OMB PRIVACY-RELATED MEMORANDA

The FDIC has a number of initiatives underway to ensure its PII and related systems are safeguarded consistent with privacy-related statutes, policies, and guidelines. Table 2 below identifies selected key provisions of privacy-related memoranda recently issued by the OMB and the status of the FDIC's actions with regard to each of those provisions. We selected these provisions as being most germane to the reporting questions directed to senior agency privacy officials in section D of OMB Memorandum M-07-19 and to the FDIC's privacy program.

Table 2: Status of FDIC Actions to Address Selected Key Provisions of Privacy-related Memoranda Issued by the OMB

OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002

Selected Key Privacy Provision: PIA Processes. The agency conducts PIAs for electronic information systems and collections and, in general, makes them available to the public.
Status of FDIC Actions: The FDIC has established and implemented a formal process for conducting PIAs of its applications and systems that contain PII. The FDIC posts its PIAs on its public Web site consistent with OMB policy and the E-Government Act of 2002.

Selected Key Privacy Provision: Web Privacy Policies. The agency posts privacy policies on its public Web site(s).
Status of FDIC Actions: The FDIC has posted a privacy policy describing its privacy practices (e.g., type of information collected, how the information is used, and who has access to the information) on its public Web site.

Selected Key Privacy Provision: Machine-readable Policies.
The                   The FDIC\xe2\x80\x99s public Web site contains machine-readable\n agency translates privacy policies into          Web site policies.\n a standardized machine-readable\n format.\n\n Persistent Tracking Technology.                  The FDIC uses persistent tracking technology for two\n The agency prohibits the use of                  of its applications: the Statistics on Depository\n persistent tracking technology (i.e.,            Institutions and FDICconnect. 14 In both cases, the use\n cookies) or any other means (e.g.,               of persistent tracking technology is approved in writing\n Web beacons 13 ) to track visitors\xe2\x80\x99              by the CPO. In addition, the FDIC has in place a DIT\n activity on the Internet, except when            policy regarding the use of persistent tracking\n properly approved by a senior agency             technology. The FDIC is drafting a similar corporate\n official due to a compelling need.               policy to ensure compliance with the policy among all\n                                                  divisions of the FDIC.\n\n OMB Memorandum M-05-08,\n Designation of Senior Agency\n Officials for Privacy\n Senior Agency Officials for Privacy.             The FDIC has designated the CPO as the senior agency\n The Agency designates a senior                   official for privacy; the CPO has overall agency-wide\n official who has overall, agency-wide            responsibility for information privacy issues. The\n responsibility for information privacy           FDIC has also designated a Privacy Program Manager\n issues.                                          to assist the CPO in implementing the FDIC\xe2\x80\x99s privacy\n                                                  program. 
Further, the FDIC has hired one additional\n                                                  staff member and is in the process of filling a\n                                                  remaining position to support the privacy program.\n\n OMB Memorandum M-06-16,\n Protection of Sensitive Agency\n Information\n Encryption of Sensitive Data on                  The FDIC is in the process of replacing its older laptop\n Mobile Computing Devices. The                    encryption solutions that require manual intervention\n agency encrypts all data on mobile               by users, limiting management\xe2\x80\x99s assurance that\n13\n     A Web beacon is often a transparent graphic image, placed on a Web site or in an e-mail, that is used to\n     monitor the behavior of users visiting the Web site or sending e-mails. Web beacons are typically used by a\n     third party to monitor the activity of a site.\n14\n     Statistics on Depository Institutions is an advanced feature of the FDIC\xe2\x80\x99s Institution Directory that allows\n     users to obtain more detailed financial reports and provides the ability to create reports. FDICconnect is a\n     secure Web site for insured financial institutions to conduct E-commerce with the FDIC.\n\n                                                         9\n\x0c Selected Key Privacy Provisions                  Status of FDIC Actions\n of OMB Memoranda\n computing devices that carry agency              sensitive information is consistently encrypted. The\n data, unless the data are determined,            new software being deployed automatically encrypts\n in writing, to be non-sensitive.                 sensitive information stored on corporate laptop\n                                                  computers. 
The deployment of the new encryption\n                                                  software was approximately 60 percent complete at the\n                                                  end of August 2007 and is expected to be completed by\n                                                  the end of September 2007. Following the rollout of\n                                                  the new laptop encryption software, the FDIC plans to\n                                                  identify and deploy new software that automatically\n                                                  encrypts information stored on removable media, such\n                                                  as CDs/DVDs, USB flash drives, and personal digital\n                                                  assistants. The FDIC\xe2\x80\x99s current encryption solutions for\n                                                  removable media also require manual intervention by\n                                                  users, limiting management\xe2\x80\x99s assurance that sensitive\n                                                  information is consistently encrypted on mobile\n                                                  computing devices.\n\n                                                  The FDIC does not currently encrypt back-up tapes that\n                                                  contain sensitive information. According to an FDIC\n                                                  privacy official, the FDIC has investigated available\n                                                  encryption solutions for securing tape media and has\n                                                  not found a solution that works across the FDIC\n                                                  environment. 
This is an area that the FDIC will\n                                                  continue to explore following its encryption efforts for\n                                                  other portable media.\n\n Remote Access with Two-Factor                    The FDIC requires that two factors be used when\n Authentication. Allow remote                     remote users authenticate to the FDIC\xe2\x80\x99s network.\n access only with two-factor                      However, in some cases, the FDIC\xe2\x80\x99s implementation of\n authentication, 15 whereby one of the            two-factor authentication for remote access does not\n factors is provided by a device                  satisfy OMB\xe2\x80\x99s definition of two-factor authentication\n separate from the computer gaining               because the second factor is not \xe2\x80\x9ca device separate\n access.                                          from the computer gaining access.\xe2\x80\x9d\n\n\n Remote Access Time-Out. Use a                    Generally, the FDIC requires that remote users of its\n \xe2\x80\x9ctime-out\xe2\x80\x9d function for remote access            network re-authenticate after 15 minutes of inactivity.\n and mobile devices requiring user                However, there are circumstances in which remote\n re-authentication after 30 minutes of            users are not required to re-authenticate to the network\n inactivity.                                      after 30 minutes of inactivity.\n\n Data Extract Logging and 90-Day                  The FDIC is researching potential software solutions\n Deletion. Log all computer-readable              that will log all computer-readable data extracts from\n data extracts from databases holding             databases holding sensitive data.\n sensitive information, and verify that\n\n15\n     According to NIST SP 800-53 Rev. 
1, Recommended Security Controls for Information Systems,\n     authentication of user identities is accomplished through the use of passwords; tokens; biometrics; or in the\n     case of multifactor authentication, some combination thereof.\n\n                                                         10\n\x0cSelected Key Privacy Provisions           Status of FDIC Actions\nof OMB Memoranda\neach extract, including sensitive data,\nhas been erased within 90 days or its\nuse is still required.\n\nNIST Security Checklist. The              DIT plans to confirm that the control measures\nagency implements a checklist,            described in the NIST checklist are effectively\ndeveloped by NIST, to protect PII that    implemented through its ongoing and planned security\nis accessed remotely or physically        testing and evaluation of information systems. The\ntransported outside an agency\xe2\x80\x99s           FDIC performed risk assessments of its major\nsecured physical perimeter. The           applications and general support systems prior to the\nintent of the controls contained in the   final publication of NIST SP 800-53 in February 2005.\nchecklist is to compensate for the lack   At the time the risk assessments were conducted, the\nof physical security controls when        FDIC was planning to perform separate, streamlined\ninformation is removed or accessed        risk assessments of its non-major information systems\nfrom outside an agency\xe2\x80\x99s facilities.      that process sensitive information (including PII) in\n                                          support of system security certification and\n                                          accreditation. 
In the spring of 2006, the FDIC decided\n                                          to forgo that approach and, instead, aggregate its non-\n                                          major applications into a major application or general\n                                          support system to achieve efficiencies in its\n                                          certification and accreditation practices. To the extent\n                                          that non-major information systems processing PII are\n                                          included in the aggregation, further risk assessments\n                                          and security testing and evaluation may be required,\n                                          and additional control measures may be necessary to\n                                          ensure that remote access, transport, and storage of PII\n                                          are properly safeguarded.\n\nM-06-19, Reporting Incidents\nInvolving Personally Identifiable\nInformation and Incorporating the\nCost for Security in Agency\nInformation Technology Investments\nThe agency reports all incidents          FDIC Circular 1360.9, Protecting Sensitive\ninvolving PII to the U.S. Computer        Information, states that the FDIC\xe2\x80\x99s Computer Security\nEmergency Readiness Team                  Incident Response Team shall notify the US-CERT\n(US-CERT) within 1 hour of                within 1 hour of an incident if the incident involves the\ndiscovering the incident.                 loss or compromise of PII. 
This circular also requires\n                                          (1) immediate reporting of an event in which sensitive\n                                          data are suspected or known to be lost or otherwise\n                                          compromised to the DIT Help Desk and (2) notification\n                                          be made to the supervisor/oversight manager and\n                                          division/office Information Security Manager at the\n                                          earliest opportunity. In addition, the FDIC prepared a\n                                          breach notification plan and procedures for responding\n                                          to PII breaches in response to OMB Memorandum\n                                          M-07-16.\n\n\n\n                                               11\n\x0cOMB Memorandum M-07-16,\nSafeguarding Against and\nResponding to the Breach of\nPersonally Identifiable Information\nBreach Notification Policy. The        The FDIC is currently working to augment its\nagency implements a breach             corporate breach notification policy with procedures\nnotification policy consistent with    for responding to PII breaches. The procedures address\nOMB Memorandum M-07-16 and             certain matters, outlined in OMB Memorandum\nprior OMB memoranda. The policy        M-07-16, that are not in current FDIC policy, such as\nis to be implemented within 120 days   privacy requirements for reporting and handling PII\nof the date of the OMB memorandum      breaches and external notifications on such breaches.\n(i.e., not later than September 19,\n2007).\n\nReducing PII. 
To reduce the risk of    The CPO initiated a remediation project in 2005 to\na breach of PII, the agency reduces    assess the use and protection of SSNs and employee\nthe volume of collected and retained   identification numbers in the FDIC\xe2\x80\x99s information\nPII to the minimum necessary.          systems. This project includes reducing the use of PII\n                                       in FDIC systems, wherever practical, to reduce the risk\n                                       of a breach of PII. This project is ongoing.\n\n\n\n\n                                            12\n\x0c                                                                                       APPENDIX I\n\n\n                        OBJECTIVE, SCOPE, AND METHODOLOGY\n\nObjective\n\nThe objective of the audit was to assess the status of the FDIC\xe2\x80\x99s privacy program\nactivities and initiatives. Our work focused on the status of the FDIC\xe2\x80\x99s efforts to address\nselected key provisions of privacy-related memoranda recently issued by OMB. As part\nof our work, we followed up on privacy-related issues identified in prior audit reports as\ndetailed in the Audit Coverage section below. Additionally, the OIG contracted\nseparately with KPMG to conduct a performance audit of the FDIC\xe2\x80\x99s information\nsecurity program and practices pursuant to FISMA. As part of its security program\nevaluation, KPMG prepared responses to security-related questions directed to agency\nIGs in OMB Memorandum M-07-19. KPMG\xe2\x80\x99s security program evaluation report, 16\ntogether with this report, fulfill the FDIC OIG\xe2\x80\x99s reporting responsibilities under FISMA\nand related OMB guidance.\n\nWe performed the audit at the FDIC\'s offices in Arlington, Virginia, from June through\nAugust 2007. We conducted this performance audit in accordance with generally\naccepted government auditing standards. 
Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\nScope and Methodology\n\nTo accomplish the objective, we interviewed key FDIC officials with privacy\nresponsibilities, including the Chief Information Security Officer and Privacy Program\nManager. Additionally, we reviewed relevant laws and regulations and the FDIC\xe2\x80\x99s\nprivacy program policies, procedures, and guidance. We also reviewed key privacy-\nrelated documentation, including PIAs, status reports, privacy-awareness training\nmaterials, approvals for the use of persistent tracking technology, privacy-related reviews\nperformed by the FDIC, and the FDIC\xe2\x80\x99s breach notification plan and procedures.\n\nAudit Coverage\n\nAs a part of our current audit, we followed up on privacy-related issues identified in prior\naudit reports, particularly KPMG\xe2\x80\x99s January 2007 report, The FDIC\xe2\x80\x99s Compliance With\nSection 522 of the Consolidated Appropriations Act, 2005 (Report No. 07-003). We\nconsidered the results of these prior and current audits in planning and conducting our\naudit work:\n\n       \xe2\x80\xa2   FDIC OIG Audit Report No. 06-018, Response to Privacy Program Information\n           Request in OMB\xe2\x80\x99s Fiscal Year 2006 Reporting Instructions for FISMA and\n\n16\n     KPMG Report No. AUD-07-014 , Independent Evaluation of the FDIC\xe2\x80\x99s Information Security Program \xe2\x80\x93\n     2007, dated September 2007.\n\n                                                   13\n\x0c                                                                            APPENDIX I\n\n       Agency Privacy Management, dated September 22, 2006.\n   \xe2\x80\xa2   FDIC OIG Audit Report No. 
06-020, The FDIC\xe2\x80\x99s Efforts to Comply with OMB\n       Memorandum M-06-16, Protection of Sensitive Agency Information, dated\n       September 25, 2006.\n   \xe2\x80\xa2   FDIC OIG Audit Report No. 07-003, The FDIC\xe2\x80\x99s Compliance With Section 522\n       of the Consolidated Appropriations Act, 2005, dated January 10, 2007.\n   \xe2\x80\xa2   OIG Audit Report No. 07-010, Division of Resolutions and Receiverships\n       Protection of Electronic Records, dated September 2007.\n   \xe2\x80\xa2   KPMG Report No. AUD-07-014, Independent Evaluation of the FDIC\xe2\x80\x99s\n       Information Security Program \xe2\x80\x93 2007, dated September 2007.\n\nCompliance With Laws and Regulations\n\nOur assessment of compliance with laws and regulations was limited to the portions of\nstatutes directly related to the FISMA reporting instructions on assessments to be\nperformed by the IGs. Specifically, we evaluated whether the FDIC had established\nprocesses for conducting PIAs as required by the E-Government Act of 2002. Our audit\nalso assessed the FDIC\xe2\x80\x99s progress in implementing PII safeguards recommended in OMB\nmemorandum M-06-15, Safeguarding Personally Identifiable Information, which\nreemphasizes agency responsibilities under law, in particular the Privacy Act of 1974.\nAppendix II contains information regarding privacy-related laws, policies, and\nguidelines.\n\nReliance on Computer-based Data, Government Performance and Results Act, and\nFraud and Illegal Acts\n\nOur audit objective was limited to assessing the status of the FDIC\xe2\x80\x99s privacy program\nactivities and initiatives. Accordingly, to answer our audit objective, we did not consider\nit necessary to develop procedures to assess the reliability of computer-based data or\nprivacy program performance measures. 
In addition, we did not design specific audit\nprocedures to detect fraud; however, throughout the audit, we were sensitive to the\npotential for fraud and illegal acts. No indications of fraud or illegal acts came to our\nattention during the audit.\n\n\n\n\n                                            14\n\x0c                                                                                                  APPENDIX II\n\n                PRIVACY-RELATED LAWS, POLICIES, AND GUIDELINES\n\nA number of federal statutes, policies, and guidelines are aimed at protecting (1) PII from\nunauthorized use, access, disclosure, or sharing and (2) associated information systems from\nunauthorized access, modification, disruption, or destruction. Brief descriptions of key\nprivacy-related statutes, policies, and guidelines and their legal effect on the FDIC follow.\n\nThe Privacy Act of 1974 (http://www.usdoj.gov/oip/privstat.htm)\nImposes various requirements for federal agencies whenever they collect, create, maintain, and distribute records\n(as defined in the Act, and regardless of whether they are in hardcopy or electronic format) that can be retrieved by\nthe name of an individual or other identifier. One such requirement is to establish appropriate administrative,\ntechnical, and physical safeguards to ensure the security and confidentiality of records and to protect against any\nanticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment,\ninconvenience, or unfairness to any individual about whom information is maintained. The Act also prohibits\nreleasing data on individuals without their permission, subject to various exceptions. Moreover, the Act requires\nagencies to publish the Federal Register notices that describe the systems of records the agencies maintain on\nindividuals. 
As a federal agency, the FDIC is subject to the requirements of the Act.\n\nThe Paperwork Reduction Act of 1995 (http://www.archives.gov/federal-register/laws/paperwork-reduction/)\nRequires the Director of OMB to develop policies that protect the privacy of the information maintained by\nagencies (including the FDIC). See the discussions of OMB Circulars and memoranda that follow.\n\nThe E-Government Act of 2002, (http://www.cio.gov/archive/e_gov_act_2002.pdf)\nSeeks to promote electronic government services and to enhance access to government information consistent with\nlaws regarding personal privacy. Section 207 of the Act is intended to improve the methods by which government\ninformation, including information on the Internet, is organized, preserved and made accessible to the public.\nSection 208 is intended to protect personal information by requiring agencies to (1) conduct PIAs of information\nsystems and collections and, in general, make PIAs publicly available; and (2) report annually to the OMB on\ncompliance with section 208. The Act also requires the Director, OMB to draft guidelines regarding (1) agency\nposting of privacy policies on agency Web sites used by the public; and (2) translate privacy policies into a\nmachine-readable format. The FDIC has determined that it is subject to the requirements of this provision. Refer\nto FISMA legislation for additional information.\n\nFederal Information Security Management Act of 2002 (FISMA) (title III of the E-Government Act of 2002)\n(http://csrc.nist.gov/policies/FISMA-final.pdf)\nRequires federal agencies, including the FDIC, to develop, document, and implement an agency-wide information\nsecurity program that provides security for the information and systems that support the operations and assets of\nthe agency, including those provided or managed by another agency, contractor, or other source. 
FISMA directs\nagencies to have an annual independent evaluation performed of their information security program and practices\nand to report the results of the evaluation to OMB.\n\nSection 522 of the Transportation, Treasury, Independent Agencies, and General\nGovernment Appropriations Act, 2005 (Division H of the Consolidated\nAppropriations Act, 2005) (http://frwebgate.access.gpo.gov/cgi-\nbin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ447.108.pdf (See page 460 of 658))\nRequires, among other things, that agencies protect PII, designate a CPO, conduct PIAs under appropriate\ncircumstances, report to the Congress and agency IG on privacy matters, and provide training to employees on\nprivacy and data protection policies. Section 522 also requires that every 2 years, the agency IG contract with an\nindependent third party to conduct a review of the agency\xe2\x80\x99s privacy program and practices and that the IG issue a\nreport based on that review. The FDIC has determined that section 522 of the Act applies to the Corporation.\n\n\n\n\n                                                         15\n\x0c                                                                                                      APPENDIX II\n\nFederal Information Processing Standards Publication (FIPS PUB) 199, Standards\nfor Security Categorization of Federal Information and Information Systems\n(http://csrc.nist.gov/publications/fips/fips199/FIPSPUB- 199-final.pdf)\nDescribes standards to be used by all federal agencies to categorize all information and information systems\ncollected or maintained by, or on behalf of, each agency based on the objectives of providing appropriate levels of\ninformation security according to a range of impact levels. 
This publication establishes security categorization\nstandards for information and information systems based on the potential impact on an organization should certain\nevents occur that jeopardize the information and information systems needed by the organization to accomplish its\nmission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect\nindividuals. By its terms, this publication is not legally binding on the FDIC, but the FDIC intends to follow its\nprinciples.\n\nFIPS PUB 200, Minimum Security Requirements for Federal Information and\nInformation Systems (http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf)\nSpecifies minimum security requirements for federal information and information systems supporting the\nexecutive agencies of the federal government in 17 security-related areas. The 17 areas represent a broad-based,\nbalanced information security program that addresses the management, operational, and technical aspects of\nprotecting federal information and information systems. An agency must determine information system level\nimpacts under the FIPS PUB 199 standard prior to considering the minimum security requirements and appropriate\nsecurity controls under the FIPS PUB 200 standard. The FDIC has determined that the minimum requirements of\nthis publication are reasonable best practices which the FDIC should seek to follow.\n            17\nNIST SP 800-53 Rev. 1, Recommended Security Controls for Information Systems\n(http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf)\nFederal agencies must meet the minimum security requirements defined in NIST FIPS PUB 200 through the use of the\nsuggested controls in NIST SP 800-53 Rev. 
1.\n\nNIST SP 800-60, Volume I: Guide for Mapping Types of\nInformation and Information Systems to Security Categories (http://csrc.nist.gov/publications/nistpubs/800-\n60/SP800-60V1-final.pdf)\nContains basic guidelines for mapping types of information and information systems to security categories. This\nguidance maps identification types to the security categories and objectives and impact levels that are defined in\nFIPS PUB 199.\n\nNIST SP 800-60, Volume II: Guide for Mapping Types of Information and\nInformation Systems to Security Categories (http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-\nfinal.pdf)\nContains the appendixes, including examples of impact assignments and security categorization rationale. This\nvolume is to be used in conjunction with NIST 800-60 Volume I.\n\nNIST SP 800-64, Security Considerations in the Information Systems Development\nLife Cycle (http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf)\nProvides a framework for incorporating security into all phases of the information system development life cycle\nprocess, from initiation to disposal. Included within the framework are requirements to consider privacy\nprotection measures in accordance with relevant privacy-related federal guidance.\n\nNIST SP 800-30, Risk Management Guide for Information Technology Systems\n(http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)\n\n\n17\n     NIST Special Publications contain guidelines or best practices that agencies should consider. 
These publications are\n     not legally binding on the FDIC, but the FDIC\xe2\x80\x99s policy is, in general, to comply with them voluntarily.\n\n\n\n\n                                                            16\n\x0c                                                                                                   APPENDIX II\n\nProvides a foundation for the development of an effective risk management program, containing both the\ndefinitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.\nThe publication also provides information on the selection of cost-effective security controls. Such controls can be\nused to mitigate risk for the better protection of mission-critical information and the IT systems that process, store,\nand carry this information.\n\nOMB Circular No. A-130, Management of Federal Information Resources\n(http://www.whitehouse.gov/omb/circulars/a130/a130trans4.pdf)\nEstablishes policy for the management of federal information technology. The circular contains two relevant\nappendixes:\n\n         Appendix I, Federal Agency Responsibilities for Maintaining Records About\n         Individuals, describes agency responsibilities for implementing the reporting and publication\n         requirements of the Privacy Act of 1974. The head of each agency shall ensure that the following\n         reviews are conducted: section (m) contracts (i.e., whereby agencies contract-out systems of records to\n         accomplish an agency function); recordkeeping practices; routine use disclosures; exemption of systems\n         of records; matching programs; Privacy Act training; violations; and systems of records notices. The\n         FDIC has determined that OMB Circular No. 
A-130, Appendix I, applies to the Corporation.\n\n         Appendix III, Security of Federal Automated Information Resources, requires agencies to establish\n         controls to assure adequate security for all information processed, transmitted, or stored in federal\n         automated information systems. OMB A-130 Appendix III defines adequate security as security\n         commensurate with the risk and magnitude of harm resulting from the loss; misuse; or unauthorized\n         access to, or modification of, information. Most of the Circular\xe2\x80\x99s provisions are legally binding on the\n         FDIC.\n\nOMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government\nAct of 2002 (http://whitehouse.gov/omb//memoranda/m03-22.html)\nProvides detailed guidance to agencies on how to implement section 208 of the E-Government Act, see above. It\nprovides definitions and explains when PIAs are or are not required, the manner in which PIAs are conducted, and\ntheir relationship with the Paperwork Reduction Act and the Privacy Act. The memorandum contains\nrequirements for agency website, specifically regarding privacy policies and persistent tracking technologies\n("cookies"). Other provisions address privacy policies in machine readable formats, responsibilities of agency\nofficials, and reporting requirements. To the extent that the provisions of this memorandum are legally binding on\nthe FDIC, the FDIC has taken steps to implement those provisions or has otherwise taken them into account.\n\nOMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy\n(http://www.whitehouse.gov/omb/memoranda/fy2005/m05-08.pdf)\nRequests that agencies designate a senior official for privacy. 
The FDIC complied with the memorandum by designating the CPO as the senior agency official.

OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information
(http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf)
Describes responsibilities and the policy for appropriately safeguarding sensitive PII and for training employees on their responsibilities in this area. OMB requires the senior agency official for privacy to conduct a review of policies and processes and take corrective action as appropriate to ensure adequate safeguards exist to prevent misuse or unauthorized access to PII. Any weaknesses are to be identified in a security POA&M consistent with FISMA. According to the FDIC, to the extent that the provisions of OMB Memorandum M-06-15 are legally binding on the FDIC, the FDIC has taken steps to implement those provisions or has otherwise taken them into account.

OMB Memorandum M-06-16, Protection of Sensitive Agency Information
(http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf)
Includes a checklist for agency use in protecting PII that is remotely accessed or transported outside the agency. The checklist is based on NIST SPs 800-53, Recommended Security Controls for Federal Information Systems, and 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Second Public Draft). In addition, M-06-16 recommends the encryption of all data on mobile computers/devices that carry sensitive data, two-factor authentication for remote access, “time-out” functions for remote access and mobile devices, and the logging of all computer-readable data extracts from databases containing sensitive information.
According to the FDIC, to the extent that the provisions of OMB Memorandum M-06-16 are legally binding on the FDIC, the FDIC has taken steps to implement those provisions or has otherwise taken them into account.

OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
(http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf)
Provides guidance on the reporting of security incidents involving PII. This guidance requires all agencies to report all suspected or confirmed breaches involving PII in an electronic or physical form, within 1 hour of discovering the incident, to the U.S. Computer Emergency Readiness Team, a federal incident response center located within the U.S. Department of Homeland Security. According to the FDIC, to the extent that the provisions of OMB Memorandum M-06-19 are legally binding on the FDIC, the FDIC has taken steps to implement those provisions or has otherwise taken them into account.

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf)
Reiterates the need for agencies to comply with NIST standards and guidelines in connection with system certifications and accreditations and to train employees on privacy and security responsibilities. In addition, OMB Memorandum M-07-16 requires agencies to review and reduce the volume of PII and the use of SSNs in their records and to implement five security requirements from M-06-16 (see above). Newly added is the requirement for agencies to develop and implement a policy by September 19, 2007, for notifying third parties of security breaches involving PII.
The FDIC will voluntarily comply with the provisions in Memorandum M-07-16.

OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (http://www.whitehouse.gov/omb/memoranda/fy2007/m07-19.pdf)
Provides instructions for meeting the reporting requirements under FISMA for fiscal year 2007. The memorandum also includes instructions for reporting the status of the privacy management program. It is the FDIC’s practice to comply with the OMB’s FISMA instructions.

FDIC Rules and Regulations

    Part 309, Disclosure of Information (http://www.fdic.gov/regulations/laws/rules/2000-3800.html) sets forth the basic policies of the FDIC regarding the information it maintains and the procedures for obtaining access to such information.

    Part 310, Privacy Act Regulations (http://www.fdic.gov/regulations/laws/rules/2000-3900.html) establishes regulations implementing the Privacy Act of 1974 by delineating the procedures that an individual must follow in exercising his or her access or amendment rights under the Privacy Act of 1974 to records maintained by the Corporation in its systems of records, as defined in the Act.

FDIC Circular 1023.1, Procedures for Processing Freedom of Information Act Requests
(http://fdic01/division/doa/adminservices/records/directives/1000/1023-1.doc)
Contains the FDIC’s procedures for processing requests and appeals pursuant to the Freedom of Information Act.

FDIC Circular 1031.1, Administration of the Privacy Act
(http://fdic01/division/doa/adminservices/records/directives/1000/1031-1.doc)
Establishes requirements for the collection, maintenance, use, and dissemination of records subject to the Privacy Act of
1974.

FDIC Circular 1360.9, Protecting Sensitive Information
(http://fdic01/division/doa/adminservices/records/directives/1000/1360-9.doc)
Establishes FDIC policy on protecting sensitive information collected and maintained by the Corporation and provides guidance for safeguarding the information.

FDIC Circular 1360.12, Reporting Computer Security Incidents
(http://fdic01/division/doa/adminservices/records/directives/1000/1360-12.doc)
Establishes FDIC policy on reporting suspected computer security incidents affecting all FDIC automated information systems resources to the FDIC Computer Security Incident Response Team.

FDIC Circular 1360.16, Mandatory Information Security Awareness Training
(http://fdic01/division/doa/adminservices/records/directives/1000/1360-16.doc)
Establishes FDIC policy on mandating annual information security awareness training for all employees and contractors who are involved in the management, use, or operation of a federal computer system within or under the supervision of FDIC.

Division of Information Technology IT Policy Memorandum, Cookies in Internet Product (http://fdic01.prod.fdic.gov/division/dit/cookies.html)
Establishes the policy and standard for the use of cookies in Internet, FDICnet, and extranet-type products developed or deployed by the FDIC.